John The Ripper is a free password cracking tool that runs on a many platforms. It has become one of the best password cracking tools as it combines several other password crackers into a single package and has a number of handy features like automatic hash type detection. Password cracking in Kali Linux using this tool is very straight forward which we will discuss in this post.
John the Ripper uses a 2 step process to crack a password. First, it will use the password and shadow file to create an output file. Later, you then actually use the dictionary attack against that file to crack it. To keep it simple, John the Ripper uses the following two files:
/etc/passwd /etc/shadow
Cracking passwords using John the Ripper
In Linux, password hash is stored in /etc/shadow file. For the sake of this exercise, I will create a new user names john and assign a simple password ‘password’ to him.
I will also add john to sudo group, assign /bin/bash as his shell. There’s a nice article I posted last year which explains user creating in Linux in great details. It’s a good read if you are interested to know and understand the flags and this same structure can be used to almost any Linux/Unix/Solaris operating system. Also, when you create a user, you need their home directories created,
[email protected]:~# useradd -m john -G sudo -s /bin/bash [email protected]:~# passwd john Enter new UNIX password: <password> Retype new UNIX password: <password> passwd: password updated successfully [email protected]:~#
Unshadowing password
[email protected]:~# unshadow Usage: unshadow PASSWORD-FILE SHADOW-FILE [email protected]:~# unshadow /etc/passwd /etc/shadow > /root/johns_passwd
Cracking process with John the Ripper
[email protected]:~# ls -ltrah /usr/share/john/password.lst
[email protected]:~# john --wordlist=/usr/share/john/password.lst /root/johns_passwd Created directory: /root/.john Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt" Use the "--format=crypt" option to force loading these as that type instead Using default input encoding: UTF-8 Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x]) Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status password (john) 1g 0:00:00:06 DONE (2015-11-06 13:30) 0.1610g/s 571.0p/s 735.9c/s 735.9C/s modem..sss Use the "--show" option to display all of the cracked passwords reliably Session completed [email protected]:~#
[email protected]:~# john --show /root/johns_passwd john:password:1000:1001::/home/john:/bin/bash 1 password hash cracked, 1 left [email protected]:~#